Who is this article for?

Code42 for Enterprise: yes.
CrashPlan for Small Business: no.

This article applies to Cloud.

Alerts reference

Overview

Code42 Alerts let you know when important data may be leaving your company. You can also use Alerts to view or update the different alert rules you have in your Code42 environment that trigger these notifications.

This article is a reference guide with detailed descriptions of each item in Code42's Alerts. For information on creating and configuring security alerts, see Create and manage alerts.

Considerations

Differences in file event counts
File events for Forensic Search and Alerts appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Review Alerts

Alert notifications appear on the Review Alerts tab when thresholds defined in alert rules are exceeded. 

To view alert notifications:

  1. Sign in to the administration console.
  2. Select Alerts > Review Alerts.

Review Alerts tab of Alerts

Item: Description

a. Create Rule: Creates a new rule to alert you when important data may be leaving your company.

b. Review Alerts: Displays all of your alerts for the selected filters.

c. Manage Rules: Displays all of the security alert rules that have been created. For more information, see Manage Rules below.

d. Filter types: Filters your view of alerts by the following:

   Event
     • Date Observed: Date the alert was triggered
     • Username/Actor: The Code42 username or cloud service alias (actor) of the person who caused the event

   Alert
   The alert filters are based on options you selected or entered when creating the rule for the alert.
     • Severity: Low, Medium, or High
     • Rule Name
     • Description
     • Alert State (default filter): Open or Dismissed
     • Alert ID: Used by Code42 to present filtered results from alert notification emails

e. Operator: Search operator options vary based on search type.
     • Single value
       • Is: Returns alerts that match the criteria
       • Is not: Excludes alerts that match the criteria
       • Contains: Includes alerts that match the criteria
       • Does not contain: Excludes alerts that match the criteria
       • On: Returns alerts triggered on this date
       • On or after: Returns alerts triggered on or after this date
       • On or before: Returns alerts triggered on or before this date
       • Between: Returns alerts triggered between these dates
     • Multi-value (OR)
       • Is either: Returns alerts that match any item in the list of criteria. This filter is evaluated as though the "OR" operator exists between each value.
       • Is neither: Returns alerts that do not match the items included in the list of criteria

f. Criteria: Defines the criteria for the search.
   For multi-value searches (Is either or Is neither), enter each value on a separate line. Do not enter a comma-separated list.
   Wildcards are not supported.

g. Remove filter: Removes this filter.

h. Add filter: Adds another filter. Results only return events that match all filters.

i. Select all: Selects all alerts and presents an action button (Reopen or Dismiss). Click the button to perform that action on all selected alerts at once.

j. Column sort: Click the column header to sort results by this column in ascending or descending order.

k. View Details: Click to view alert details for this notification. Includes file event information, file count and size, and file categories involved in the event.

l. Dismiss or Reopen alerts: Click to dismiss or reopen alerts.
     • Dismiss: Removes this individual alert from the list of open alerts. This also dismisses the notification for any teammates. To stop all alerts for this specific activity, select the Manage Rules tab and disable the alert.
     • Reopen: Adds this alert back to the list of open alerts on the Review Alerts tab.

m. Default alert indicator: Identifies default alerts from the Departing Employees application or High Risk Employees application.

Alert details

For any alert listed on Review Alerts, click View Details to see more information about the alert notification.

Alert details vary depending on the type of activity that triggered the alert. Specific alerts may display different details than those shown in the example below. 

Alert details for the notification

Item: Description

a. Alert name: The name of the rule that was entered when the rule was created. If the rule is a default alert from the Departing Employees application or High Risk Employees application, the default alert indicator identifies it as such.

b. Description: The description of the rule that was entered when the rule was created.

c. Severity: The severity of the rule that was selected when the rule was created.

d. Username or Actor: The Code42 username or the cloud alias associated with the file events that triggered the alert.

e. Exposure Type or Permission Changed To: The type of exposure that triggered the alert.

   For Exposure on an endpoint alerts, Exposure Type lists the type of file activity on an endpoint that triggered the alert. This kind of activity also appears on the Endpoint File Activity dashboard.
     • Read by browser or other app: Files are uploaded by a browser or an app, such as Slack, FTP client, or curl.
     • Activity on removable media: Data is moved to removable media, such as a USB drive.
     • Moved to cloud sync folders: File activity in common cloud sync folders on a user's device exceeds the File size and count thresholds that were selected when the rule was created.

   For Cloud share permission changes alerts (not shown in image above), Permission Changed To indicates the change by which a file stored in a cloud service becomes publicly accessible. This kind of activity also appears on the Cloud File Activity dashboard.
     • Public on the web (Google Drive only): The file is available on public search engines and accessible to the entire internet. Users do not need to be signed in to a cloud services account to see the file. The method used to share the file appears in Google Drive as "Public on the Web."
     • Public via direct link: The file is not listed in public search engines, but is available to anyone who accesses the link. Users do not need to be signed in to a cloud services account to see the file. The method used to share the file appears within the cloud service as follows:
       • Microsoft OneDrive: "Anyone with the link"
       • Google Drive: "Anyone with the link"
       • Box: "People with the link"
     • Shared outside trusted domain: The file has been shared outside of the domains you trust, listed in Administration > Settings > Trusted Domains. The domains and email addresses with which the file was shared are listed under Shared with.

   Not available in the Code42 federal environment: The cloud share permission changes rule type is not available in the Code42 federal environment.

f. Time Range of Events: Displays the time period in which the file activity occurred.
     • The time frame starts when the file activity begins.
     • An alert is sent five minutes after the threshold is exceeded. This five-minute delay reduces alert "noise," since users can move a lot of data in a few quick clicks. For example, you choose a time window of 1 hour when you set up the alert rule. An employee starts moving files at 10:42 a.m. and exceeds the threshold at 10:55 a.m. An alert is sent to you five minutes later at 11:00 a.m. with combined totals for everything that was moved between 10:42 a.m. and 11:00 a.m.

Shared with: For Cloud share permission changes alerts, Shared with identifies the domains (such as "example.com") and email addresses (such as "first.lastname@example.com") the file has been shared with that are outside of the domains you trust.
   Microsoft OneDrive does not provide email addresses to Code42. Therefore, email addresses that are outside of the domains you trust cannot be listed here for files shared in OneDrive.
   Only the first 10 email addresses are listed. Investigate in Forensic Search to view other email addresses the file has been shared with that are outside trusted domains.

g. Number of Files: The total number of files impacted by the suspected exposure.

h. Total File Size: The combined file size for the files impacted by the suspected exposure.

i. File Categories: The file categories of the files identified by this alert (for example: Spreadsheet, Zip files).

j. File events: The filename and path of the file that generated the alert.
   Only the first 10 files are listed. Investigate in Forensic Search to view any other files that generated the alert.

k. Dismiss Alert: Click to remove this individual alert notification from the list of open alerts. This dismisses the notification for any teammates.

l. Investigate in Forensic Search: Click to see these files in Forensic Search.
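
The timing described under Time Range of Events explains why an alert's totals can be larger than the rule's threshold. The following is an added illustration, not Code42 code, that models that stated behavior for one user's file events. The function name, the count-only threshold `max_files`, the sample events, and treating the window as starting at the first event are assumptions.

```python
from datetime import datetime, timedelta

ALERT_DELAY = timedelta(minutes=5)  # delay stated in the article


def time_range_of_events(events, max_files, window=timedelta(hours=1)):
    """Model the alert timing for one user's file events.

    events: (timestamp, size_in_bytes) pairs; max_files: hypothetical count
    threshold. Returns None if the threshold is not exceeded in the window.
    """
    events = sorted(events)
    if not events:
        return None
    start = events[0][0]  # the time frame starts when the activity begins
    exceeded_at = None
    for seen, (ts, _size) in enumerate(events, start=1):
        if ts - start > window:
            break  # outside the rule's time window
        if seen > max_files:
            exceeded_at = ts
            break
    if exceeded_at is None:
        return None
    sent_at = exceeded_at + ALERT_DELAY
    # Totals cover everything from the start until the alert is sent, so
    # activity during the five-minute delay is counted too.
    covered = [(ts, size) for ts, size in events if ts <= sent_at]
    return {
        "start": start,
        "threshold_exceeded": exceeded_at,
        "alert_sent": sent_at,
        "files": len(covered),
        "bytes": sum(size for _ts, size in covered),
    }


# Constructed sample; times follow the article's 10:42 / 10:55 / 11:00 example.
DAY = datetime(2024, 1, 15)
SAMPLE = [
    (DAY.replace(hour=10, minute=42), 10_000_000),
    (DAY.replace(hour=10, minute=48), 20_000_000),
    (DAY.replace(hour=10, minute=55), 30_000_000),  # third file exceeds max_files=2
    (DAY.replace(hour=10, minute=58), 40_000_000),  # inside the five-minute delay
    (DAY.replace(hour=11, minute=3), 50_000_000),   # after the alert was sent
]

if __name__ == "__main__":
    print(time_range_of_events(SAMPLE, max_files=2))
```

With a threshold of two files, the alert reports four files: the file moved at 10:58 is included because it falls inside the delay, while the 11:03 file is left for Forensic Search or a later alert.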

Manage Rules

Use the Manage Rules tab to view, edit, duplicate, and delete existing alert rules that trigger alert notifications.

To add or edit alert rules:

  1. Sign in to the administration console.
  2. Select Alerts > Manage Rules.

Manage Rules tab of Alerts

Item: Description

a. Create Rule: Creates a new rule that you can use to alert you when important data may be leaving your company.

b. Review Alerts: Displays all of your alerts for the selected filters. For more information, see Review Alerts above.

c. Manage Rules: Displays all of the alert rules you have created.

d. Rule Name: Name entered for the rule when it was created.

e. Severity: Severity of the alert that was selected when the rule was created.

f. Created: Date the rule was created.

g. Last Modified: Date the rule was last changed.

h. Enable: Click to enable or disable rules.
     • Enable: Allows the rule to notify you of potential file exfiltration based on its settings.
     • Disable: Stops the alert from firing for all users that were added to the rule. The alert will no longer generate new notifications on the Review Alerts tab.

i. Column sort: Hover over any column header to see the sort option. Click the up arrow to sort results by this column in ascending order. Click the down arrow to sort in descending order.

j. Edit: Click to edit an alert rule. For information on the values you can change, see Create and manage alerts.

k. Actions: Click to make a copy of an existing rule or to delete a rule.

l. Departing Employees or High Risk Employees badge: Indicates a rule created by default when employees are added to the Departing Employees application or the High Risk Employees application.

m. Locked setting: Indicates that you cannot enable or disable this alert here. This rule is for the Departing Employees application and can be enabled or disabled from Detection > Departing Employees > Alert Settings.

n. Rules per page: Select to display 5, 10, or 25 rules per page.

o. Pagination: Click the right and left arrows to scroll through pages of rules.